Happy national cyber security awareness month!
Today I'll be exploring AJAX - an introduction to it, the vulnerabilities of using it, and then BONUS: a great hacker moment in history.
Okay, let's get into it!
What is an AJAX?
AJAX, coined back in 2005, stands for Asynchronous JavaScript And XML.
It's a super-powered combination of existing technologies that gives us dynamic, uninterrupted web experiences. We can 'upvote' a show without reloading the WHOLE DAMN PAGE and interrupting our Netflix binge.
Truly, amazing.
Asynchronous JavaScript binds the technologies together, and the XMLHttpRequest object sends requests for information to the server via HTTP.
The XML part? It's just the format of the request. It's kinda outdated and we don't use it too much anymore. Many sites now use JSON (JavaScript Object Notation) in place of XML. Fetch has replaced XMLHttpRequest.
We still use the acronym AJAX as a generic term to describe technologies working together to quickly save or retrieve small amounts of info from the server.
This is the point where I raise my hand in favor of renaming it to AJAW - Asynchronous JavaScript And Whatever.
Security Issues
Now that we know what AJAX is, let's talk about its vulnerabilities.
SPOILER ALERT! There are a lot.
I won't be going into each type of attack in this post, but more into WHY it's possible.
As we learned, AJAX has a lot of stuff going on inside it. What it doesn't have is built-in security. When AJAX was being developed in the early 2000s, the priority was getting it to work.
One of the biggest vulnerabilities, as obvious as it may be, is that since AJAX is just a bunch of tools, it has no native encoding mechanisms. Function calls are sent in plain text to the server.
Increased Attack Surface
Attack surface is all the ways attackers can try to enter data into or extract data from an environment. With all the dynamic communication between the client and server, each data request is a way in to inject malicious content.
Keeping the attack surface as small as possible is good security practice.
Asynchronous web is cool and all, but is it worth it if your data is traversing the wire in plain text and every request is a potential attack surface?
Well, there is something I've been holding back from you.
It's called HTTPS. This is HTTP with Security. It uses the same syntax for HTTP requests and responses, but with an encrypted data flow between client and server, making your communication safer and more secure.
What can we do as individuals?
Using secure HTTPS/SSL channels is the easiest way to prevent attacks from happening. Use modern web browsers and be sure you install updates regularly!
In 2018, Google started labeling sites lacking SSL certificates (the certificate which, once installed on the website, results in an HTTPS secure URL) as “not secure”. Most browsers have followed suit. Visit an HTTP site in Chrome and you'll probably see a “not secure” warning.
HTTPS Everywhere is a handy browser extension developed by the Electronic Frontier Foundation and is available for Mozilla Firefox, Google Chrome, Chromium, and Android. It uses clever technology to rewrite HTTP requests in HTTPS for hundreds of frequently visited websites.
What can we do as app builders and webmasters?
A lot! There are a lot of ways (even easy ways) to mitigate the security vulnerabilities of using AJAX. It’s not terribly expensive or difficult to convert your site to HTTPS. It won't slow down your site or make it use more server CPU. Some web hosting companies even offer an SSL certificate for free as an incentive to host with them.
Even if you’re not dealing with credit card information, using HTTPS will make your visitors' accounts safer and can increase your search ranking.
HTTPS is the norm! Get on board.
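Here's one way to hold your own AJAX calls to that rule on the client side. This is an added example, not code from the original post; the origin `https://shows.example`, the `/api/upvote` path and the `showId` field are made up for illustration. It builds the 'upvote' request from earlier as fetch + JSON and refuses any endpoint that would travel over plain HTTP:

```javascript
// Added example: build an AJAX (fetch + JSON) request only for HTTPS endpoints.
// PAGE_ORIGIN, the /api/upvote path and the showId field are hypothetical.
const PAGE_ORIGIN = "https://shows.example";

// Resolve an endpoint the way the browser would and reject cleartext targets.
function resolveSecureEndpoint(endpoint, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(endpoint, pageOrigin); // handles relative and //host forms
  if (url.protocol !== "https:") {
    throw new Error(`Refusing cleartext AJAX endpoint: ${url.href}`);
  }
  if (url.username || url.password) {
    throw new Error("Credentials must not be embedded in the URL");
  }
  return url;
}

// Describe the upvote call: JSON body, cookies sent to the same origin only.
function buildUpvoteRequest(showId, endpoint = "/api/upvote") {
  if (!Number.isInteger(showId) || showId <= 0) {
    throw new TypeError("showId must be a positive integer");
  }
  const url = resolveSecureEndpoint(endpoint);
  return {
    url: url.href,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "same-origin",
      body: JSON.stringify({ showId }),
    },
  };
}

// In the browser: send without reloading the page, and fail closed on errors.
async function upvote(showId) {
  const { url, options } = buildUpvoteRequest(showId);
  const response = await fetch(url, options);
  if (!response.ok) throw new Error(`Upvote failed: HTTP ${response.status}`);
  return response.json();
}
```

A protocol-relative endpoint such as `//api.shows.example/upvote` inherits the scheme of the page it is resolved against, so the same check rejects it when the page itself was loaded over HTTP.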
Great Hacker Moment in History
October 4th 2005.
Samy Kamkar was 19 years old when he released a cross-site scripting worm on what was, at the time, the largest and most popular online social network: MySpace.
In less than a day, Samy's virus made him the 'friend' of more than a million people. It also added "but most of all, samy is my hero" to the profiles of all his new 'friends'.
The top-10 trafficked website was forced to shut down to stop the onslaught.
How did he do it? Using AJAX (JavaScript HTTP GET and POST requests) and exploiting MySpace's oversight in preventing the injection of DIV tags. MySpace has since secured its site against the vulnerability. For a fascinating technical breakdown, check out Samy's personal blog.
While more experimental than malicious, Samy's worm gave the world a wake-up call to the potential destruction of unsecured data requests.
Thanks Samy!
Happy Hacktober everyone!
For more information on AJAX, HTTPS, and the Samy Worm check out these resources:
https://developer.mozilla.org/en-US/docs/Web/Guide/AJAX
https://thehistoryoftheweb.com/what-does-ajax-even-stand-for/
https://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities_(OWASP-AJ-001)
https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
https://www.vice.com/en_us/article/wnjwb4/the-myspace-worm-that-changed-the-internet-forever
Top comments (3)
Fun and educational read. Happy Hacktober!
Maybe instead of reading AJAX as Asynchronous JavaScript And XML, we can read it as Asynchronous JavaScript And X ;)
Oh I like that!